Hi! thank you for this video it was really helpful, but I got stocked at some point after everything the container refused to load setting the thehive to latest version meanwhile changing the version to 5.2 it load up but both cortex and misp refused to authenticate see attached
How do you enable Analyzers and Responders to appear in Cortex? This step-by-step guide is not shown in the videos, they are already enabled on your screen. In my configuration they do not appear
the mapped volume for application.conf is actually creating a folder instead of a file, would you be able to share the application.conf for cortex you have used on your github ?
Thanks for watching, in this video I did not supply my own application.conf file, however, the issue you describe is a known docker issue, if the file on the host does not exist it will create a directory, so you will need to make sure you manually create the application.conf file in that location before you run docker-compose, hopefully this helps.
I am having issues with the MISSP endpoint after updating the compose file. For example VPS-IP:80 or 443. Not working. Is it because of the missp.local variable? Or do you have any similar issues,? All other services work perfectly anyway.
Using the Docker CLI on the server running your docker containers, type: sudo docker ps this will list all running containers, confirm that the MISP container is running correctly and that the ports are listening and maps to 443/80. If all seems in order here, another thing that comes to mind is the hostname environment variable in the docker-compose.yml config, check that its using your IP address and not the 10.200.200.253 like I use in my setup. - "HOSTNAME=10.200.200.253" The misp.local name we give to the MISP service wont make a difference here, it is only used within the underlaying docker container network for communication between the containers themselves, they have their own DNS type service running in the background which resolves those hostnames.
@@ls111cyberEd Thank you for your prompt reply I really appreciate I did this to troubleshoot the issues and I saw this. #docker logs 0ea9cf341f51 ... chown -R www-data.www-data /var/www/MISP ... chown: cannot dereference '/var/www/MISP/INSTALL/old/INSTALL.ubuntu1604.txt': No such file or directory
i have been troubleshooting an issue with the analyzers failing,workers cant be run error. Have you come across this issue, is this an issue with the docker networking?
Hi, thanks for watching! Yes I had similar issues when creating the lab and found that it was due to the way I had my volumes setup. In my case, the docker container that runs the analyzer was unable to access the job data created by Cortex, so I had to map everything to /tmp/cortex-jobs on the host and setup the environment variables to point both job_directory and docker_job_directory to the same /tmp/cortex-jobs to make this work. I used this documentation to point me in the correct direction: github.com/TheHive-Project/CortexDocs/blob/master/installation/install-guide.md Hopefully it helps.
Initially no, the hive/cortex won't block anything it's being used to analyze the detected IOC's and compare it against known intelligence found on VirusTotal etc. If you need a blocking response you will need to set up a responder, for e.g. if you use Wazuh you can use their free responder to block IP observables, there are also other options available.
Hi, thanks for watching. Please check out this documentation: github.com/TheHive-Project/CortexDocs/blob/master/installation/install-guide.md I had similar issues when creating the lab and found that it was due to how I set my volumes up. In my case, the docker container that runs the analyzer was unable to access the job data created by Cortex, so I had to map everything to /tmp/cortex-jobs on the host and setup the environment variables to point both job_directory and docker_job_directory to the same /tmp/cortex-jobs to make this work. Perhaps it's the same issue in your case, hopefully this helps.
This series of videos is really good. When will the next episode be updated? EP13 EP13!!!
Keep them coming, at least once a week please.
Are you still planning to make that Wazuh integration mentioned in earlier videos? :)
Hi, when are you planning to finish up this home lab?
Hi! thank you for this video it was really helpful, but I got stocked at some point after everything the container refused to load setting the thehive to latest version meanwhile changing the version to 5.2 it load up but both cortex and misp refused to authenticate see attached
How do you enable Analyzers and Responders to appear in Cortex? This step-by-step guide is not shown in the videos, they are already enabled on your screen. In my configuration they do not appear
Waiting for EP 13, please..
the mapped volume for application.conf is actually creating a folder instead of a file, would you be able to share the application.conf for cortex you have used on your github ?
Thanks for watching, in this video I did not supply my own application.conf file, however, the issue you describe is a known docker issue, if the file on the host does not exist it will create a directory, so you will need to make sure you manually create the application.conf file in that location before you run docker-compose, hopefully this helps.
@@ls111cyberEd yes I also realised this, nevertheless, creating the application.conf file manually fix this.
I am having issues with the MISSP endpoint after updating the compose file. For example VPS-IP:80 or 443. Not working.
Is it because of the missp.local variable?
Or do you have any similar issues,?
All other services work perfectly anyway.
Using the Docker CLI on the server running your docker containers, type: sudo docker ps this will list all running containers, confirm that the MISP container is running correctly and that the ports are listening and maps to 443/80. If all seems in order here, another thing that comes to mind is the hostname environment variable in the docker-compose.yml config, check that its using your IP address and not the 10.200.200.253 like I use in my setup.
- "HOSTNAME=10.200.200.253"
The misp.local name we give to the MISP service wont make a difference here, it is only used within the underlaying docker container network for communication between the containers themselves, they have their own DNS type service running in the background which resolves those hostnames.
@@ls111cyberEd Thank you for your prompt reply I really appreciate
I did this to troubleshoot the issues and I saw this.
#docker logs 0ea9cf341f51
... chown -R www-data.www-data /var/www/MISP ...
chown: cannot dereference '/var/www/MISP/INSTALL/old/INSTALL.ubuntu1604.txt': No such file or directory
i have been troubleshooting an issue with the analyzers failing,workers cant be run error. Have you come across this issue, is this an issue with the docker networking?
Hi, thanks for watching! Yes I had similar issues when creating the lab and found that it was due to the way I had my volumes setup. In my case, the docker container that runs the analyzer was unable to access the job data created by Cortex, so I had to map everything to /tmp/cortex-jobs on the host and setup the environment variables to point both job_directory and docker_job_directory to the same /tmp/cortex-jobs to make this work. I used this documentation to point me in the correct direction:
github.com/TheHive-Project/CortexDocs/blob/master/installation/install-guide.md
Hopefully it helps.
@@ls111cyberEd oh great thank you for the info, I will give it a try.
@@ls111cyberEd Got it working thank you!
I don't understand what should i add so i have the analyzer enabled ?
After i integrate virus total can the hive/cortex block any malicious ip if a user trying to access the malicious ip?
Initially no, the hive/cortex won't block anything it's being used to analyze the detected IOC's and compare it against known intelligence found on VirusTotal etc. If you need a blocking response you will need to set up a responder, for e.g. if you use Wazuh you can use their free responder to block IP observables, there are also other options available.
Can you deploy Kali Purple for defense in this lab?
Thanks for watching! Yes, you can, this will work with any OS running Docker.
hello i have problem with cortex analyzer. it says "errorMessage": "Worker cannot be run", how to fix it?
thank you
Hi, thanks for watching. Please check out this documentation:
github.com/TheHive-Project/CortexDocs/blob/master/installation/install-guide.md
I had similar issues when creating the lab and found that it was due to how I set my volumes up. In my case, the docker container that runs the analyzer was unable to access the job data created by Cortex, so I had to map everything to /tmp/cortex-jobs on the host and setup the environment variables to point both job_directory and docker_job_directory to the same /tmp/cortex-jobs to make this work.
Perhaps it's the same issue in your case, hopefully this helps.
Why i have 0 avaible analyzers
What is the username / password for thehive,cortx,misp ?
This information has been documented in GitHub:
github.com/ls111-cybersec/thehive-cortex-misp-docker-compose-lab11update
@@ls111cyberEd I was not able to login with those username/password that given on the github. I am using docker compose file
it is working now... I must did something wrong
Man, cortex analyzer giving me a rough time.